This repository has been archived by the owner on Mar 22, 2024. It is now read-only.
/
configmap.yaml
92 lines (83 loc) · 2.4 KB
/
configmap.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spire-server.fullname" . }}
namespace: {{ .Release.Namespace }}
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
socket_path = {{ .Values.socketPath | quote }}
trust_domain = {{ .Values.trustDomain | quote }}
data_dir = "/run/spire/data"
log_level = "{{ .Values.logLevel }}"
# AWS requires the use of RSA. EC cryptography is not supported
ca_key_type = "rsa-2048"
jwt_issuer = "{{ .Values.jwtIssuer }}"
default_x509_svid_ttl = "1h"
default_jwt_svid_ttl = "1h"
ca_subject = {
{{- with .Values.ca_subject }}
country = [{{ .country | quote }}],
organization = [{{ .organization | quote }}],
common_name = {{ .common_name | quote }},
{{- end }}
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_psat" {
plugin_data {
clusters = {
{{ .Values.clusterName | quote }} = {
service_account_allow_list = ["{{ .Release.Namespace }}:{{ .Release.Name }}-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
Notifier "k8sbundle" {
plugin_data {
namespace = "{{ .Release.Namespace }}"
config_map = {{ .Values.bundleConfigMap | quote }}
}
}
{{- with .Values.upstreamAuthority.disk }}
{{- if eq (.enabled | toString) "true" }}
UpstreamAuthority "disk" {
plugin_data {
cert_file_path = "/run/spire/upstream_ca/tls.crt"
key_file_path = "/run/spire/upstream_ca/tls.key"
{{- if ne .secret.data.bundle "" }}
bundle_file_path = "/run/spire/upstream_ca/bundle.crt"
{{- end }}
}
}
{{- end }}
{{- end }}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
{{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
telemetry {
Prometheus {
host = "0.0.0.0"
port = 9988
}
}
{{- end }}